CISCO ENCOR 350-401 Exam Questions 2025

In the Internet Group Management Protocol version 2 (IGMPv2), a multicast router acting as the querier periodically sends a General Query message to discover which multicast groups have active members on a directly attached network. To ensure this query reaches every multicast-capable host on the local segment, it is sent to the destination IP address 224.0.0.1. This is the IANA-reserved "All Hosts" multicast address. All hosts that support IP multicasting are required to join this group on all their multicast-capable interfaces. This mechanism allows the querier to efficiently solicit Membership Report messages from any host interested in any multicast group.

A. 239.0.0.2: This address is in the administratively scoped multicast range ("limited scope") and is not used for fundamental network control protocols like IGMP.

C. 239.0.0.1: Similar to 239.0.0.2, this is an administratively scoped address intended for private multicast applications, not for IGMP control plane messages.

D. 224.0.0.2: This is the "All Routers" multicast address, used for communication between multicast routers (e.g., PIM, OSPF), not for querying hosts.

1. Internet Engineering Task Force (IETF) RFC 2236: Internet Group Management Protocol

Version 2.

Section 2

"Protocol Description

" Paragraph 2: "Queries are sent with a destination IP address of 224.0.0.1 (the all-hosts group)."

DOI: https://doi.org/10.17487/RFC2236

2. Cisco Systems

Inc.: IP Multicast: IGMP Configuration Guide

Cisco IOS XE Gibraltar 16.12.x.

Chapter: "Configuring IGMP

" Section: "IGMPv2

" Subsection: "Query-Response Process": "The querier periodically sends a general IGMP query to the all-hosts multicast group address 224.0.0.1."

3. Kurose

J. F.

& Ross

K. W. (2017). Computer Networking: A Top-Down Approach (7th ed.). Pearson.

Chapter 4

Section 4.4.2

"IP Multicasting: The Internet Group Management Protocol (IGMP)": This standard university textbook explains that IGMP query messages are sent to the all-systems multicast address 224.0.0.1.

The principle of separation of privilege, also known as the principle of least privilege, is a fundamental security design concept for any system, including REST APIs. It dictates that a client (user, service, or application) should only be granted the minimum set of permissions required to perform its specific, authorized tasks. In the context of a REST API, this means carefully designing roles and access controls so that a consumer can only access the specific endpoints and perform the specific actions (e.g., GET, POST, DELETE) necessary for its function, thereby minimizing the potential attack surface and the impact of a compromised key or token.

B. password hashing: This is a specific cryptographic technique used to securely store credentials. It is an implementation detail, not a high-level architectural design principle for an API.

C. confidential algorithms: This concept, known as "security through obscurity," is an anti-pattern in security design. Robust security relies on public, well-vetted algorithms combined with private, well-managed keys.

D. OAuth: This is a specific authorization framework or protocol. While it is commonly used to secure REST APIs, it is a mechanism to implement security principles like separation of privilege, not the principle itself.

1. National Institute of Standards and Technology (NIST)

Special Publication 800-204A

Building Secure Microservices-based Applications Using Service-Mesh Architecture

December 2019.

Reference: Section 3.1

"Security Principles

" explicitly lists "Least Privilege" as a core principle. It states

"The principle of least privilege requires that a user

process

or component should be given only the minimum privileges essential to perform its intended function." This is directly applicable to API security design.

2. OWASP Foundation

OWASP API Security Top 10 2023.

Reference: The top two vulnerabilities

"API1:2023 - Broken Object Level Authorization" and "API2:2023 - Broken Authentication

" and "API5:2023 - Broken Function Level Authorization" are all fundamentally about failures to correctly implement the principle of least privilege/separation of privilege at different layers of the API.

3. Cisco

Cisco ENCOR 350-401 Official Cert Guide

Volume 2

1st Edition.

Reference: Chapter 23

"Network Security and Monitoring

" discusses access control principles. While not specific to REST

it covers the foundational concept of authorization

which is the mechanism for enforcing separation of privilege. The design of authorization policies for a REST API is directly guided by this principle.

This Cisco Embedded Event Manager (EEM) applet is designed to periodically check for a specific MAC address and shut down the interface where it is found. The script components work together to automate this security action. event timer watchdog time 10: This command configures the trigger for the applet. The watchdog keyword specifies a recurring timer that will execute the applet's actions every 10 seconds. This is the correct timer type for periodic, repeated checks. 2. action 04 regexp "(Gi...)" ...: This action processes the output from the show mac address-table command. The goal is to find the port associated with the MAC address. A regular expression (regexp) is used to match and capture the interface name. The pattern (Gi...) will match any string starting with "Gi" (e.g., GigabitEthernet0/1), and the parentheses () capture this matched string for later use (in action 07). 3. action 05 if $_regexp_result eq 1: This action creates a conditional block. After the regexp action runs, the special EEM variable $_regexp_result is automatically set. It is set to 1 if the regular expression found a match and '0' otherwise. Therefore, if $_regexp_result eq 1 is the correct syntax to execute the subsequent shutdown commands only if the MAC address was found in the table.

Cisco Systems, "Embedded Event Manager Configuration Guide,

Cisco IOS XE": This official guide details the commands and variables for

EEM applets.

o event timer watchdog: The guide describes the watchdog timer as

a "recurring, system-clock-based timer," confirming its use for

periodic execution. (Reference: Chapter: "Writing Embedded Event

Manager Policies," Section: "Configuring an Event Statement").

o action regexp and $_regexp_result: The documentation specifies

that the $_regexp_result built-in variable is set to "1" on a

successful pattern match and "0" on a failure, validating the

conditional if statement. (Reference: Chapter: "Writing Embedded

Event Manager Policies," Section: "EEM Built-In Variables").

o Regular Expression Pattern Matching: The use of parentheses ()

for capturing substrings in a regexp action is standard EEM

functionality, confirming that (Gi...) is used to capture the interface

name. (Reference: Chapter: "Writing Embedded Event Manager

Policies," Section: "Configuring an EEM Policy Action").

In the Cisco Catalyst 9800 Wireless Controller's New Configuration Model, the policy tag is the component that links a specific WLAN Profile to a Policy Profile. The WLAN Profile defines the SSID, while the Policy Profile defines the properties applied to that WLAN, such as VLAN assignment, Quality of Service (QoS) policies, session timeouts, and Access Control Lists (ACLs). By associating a WLAN with a policy profile, the policy tag effectively defines the complete set of properties for that specific WLAN, which is then applied to Access Points (APs) that are assigned that tag.

A. RF tag: This tag assigns radio-frequency (RF) profiles to APs, controlling parameters like data rates, power levels, and channel assignments, not WLAN-specific network policies.

C. AP tag: This is not a specific tag type within the Cisco 9800 configuration model. The model uses Policy, Site, and RF tags, which are assigned to APs.

D. site tag: This tag links APs to site-specific settings, such as an AP Join Profile (e.g., CAPWAP timers) or a FlexConnect Profile, which are not WLAN-specific properties.

1. Cisco Systems

Inc. (2023). Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide

Cisco IOS XE Cupertino 17.9.x. Chapter: "Configuring Tags and Profiles"

Section: "Information About Tags".

This document states

"Policy Tag: The policy tag is the link between a WLAN profile and a policy profile. The policy tag determines which WLANs are broadcasted on an AP

and what policies are applied for a specific WLAN."

2. Cisco Systems

Inc. (2023). Catalyst 9800-L Wireless Controller Data Sheet. Section: "Cisco Catalyst 9800 Series Wireless Controllers".

The data sheet describes the tag-based configuration: "The new configuration model... allows for a logical grouping of APs based on tags. Tags can be defined based on physical location

geography

or AP function. This allows for a much more simplified and intuitive configuration experience... The tags that can be defined are the policy tag

site tag

and RF tag." This confirms the three valid tag types and their purpose in grouping and applying policies.

below Explanation: Task 1: Flexible NetFlow Exporter Configuration This configuration creates a NetFlow exporter on router R1 to send traffic flow data to a collector at 10.10.1.10. Cisco CLI R1(config)# flow exporter NETFLOW_EXPORT R1(config-flow-exporter)# destination 10.10.1.10 R1(config-flow-exporter)# source Loopback0 R1(config-flow-exporter)# transport udp 2055 ! R1(config)# flow monitor NETFLOW_MONITOR R1(config-flow-monitor)# record netflow-original R1(config-flow-monitor)# exporter NETFLOW_EXPORT R1(config-flow-monitor)# cache timeout active 60 ! R1(config)# interface [interface_name] R1(config-if)# ip flow monitor NETFLOW_MONITOR input Explanation: First, a flow exporter is defined, specifying the collector's IP address (destination 10.10.1.10). A source interface (e.g., Loopback0) is best practice for stability. Next, a flow monitor is created to link a flow record template (here, the predefined netflow-original) with the exporter. Finally, the flow monitor is applied to an interface in the desired direction (e.g., input) to begin monitoring traffic. Task 2: Switch Port Analyzer (SPAN) Configuration This configuration sets up a SPAN session on switch Sw1 to mirror all traffic from PC1 and PC2 to interface E1/0. (Note: The specific source interfaces for PC1 and PC2, e.g., E0/1 and E0/2, are assumed as they are not provided in the text). Cisco CLI Sw1(config)# monitor session 2 source interface [PC1_interface] , [PC2_interface] both Sw1(config)# monitor session 2 destination interface E1/0 Explanation: A SPAN session, also known as port mirroring, copies traffic from source ports to a destination port. The command monitor session 2 creates the specified session. The source interface command defines the ports to be monitored; the keyword both ensures traffic is captured in both ingress and egress directions. The destination interface command specifies where the mirrored traffic will be sent. Task 3: IP SLA HTTP GET Configuration This configuration creates an IP Service Level Agreement (SLA) operation on router R1 to send an HTTP GET request to the server at 10.10.1.100 every 600 seconds. Cisco CLI R1(config)# ip sla 1 R1(config-ip-sla)# http-get http://10.10.1.100/ R1(config-ip-sla-http)# exit ! R1(config)# ip sla schedule 1 life forever start-time now frequency 600 Explanation: First, an ip sla operation is created with entry number 1. The operation type is defined as http-get, targeting the specified server URL. Then, the ip sla schedule command activates the operation. It is scheduled to run indefinitely (life forever), begin immediately (start-time now), and repeat every 600 seconds (frequency 600), as required by the task.

Flexible NetFlow:

o Cisco, "Flexible NetFlow Configuration Guide," IOS XE Amsterdam

17.3.x. Sections: "Configuring Flexible NetFlow" and "Components

of Flexible NetFlow".

o URL: https://www.cisco.com/c/en/us/td/docs/iosxml/ios/fnetflow/configuration/17-3/fnf-17-3-book/fnf-configuring.html

•

SPAN (Port Mirroring):

o Cisco, "Catalyst 9300 Series Switches, Cisco IOS XE Gibraltar

16.12.x - System Management Configuration Guide," Chapter:

"Configuring SPAN and RSPAN".

o URL:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/sof

tware/release/16-

12/configuration_guide/sys_mgmt/b_1612_sys_mgmt_config_guide

_c9300/configuring_span_and_rspan.html

IP SLA:

o Cisco, "IP SLAs Configuration Guide," IOS XE Gibraltar 16.12.x.

Sections: "Configuring IP SLAs HTTP Operations" and "Scheduling

IP SLAs Operations".

o URL: https://www.cisco.com/c/en/us/td/docs/iosxml/ios/ipsla/configuration/16-12/ip-sla-16-12-book/ipsla_http.html

Configuration management tools are distinguished by their approach to defining a system's configuration.

• Declarative tools, such as Puppet and Saltstack (using Salt States), focus on the desired end state. You define what the system should look like (e.g., "package 'nginx' must be installed"), and the tool's agent is responsible for figuring out how to achieve that state.
• Procedural tools, such as Chef, focus on the process. You define the specific steps and the order in which they must be executed to reach the desired state. Chef uses "recipes" written in Ruby to script this sequence of actions.

Puppet (Official Documentation):

Source: Puppet, Inc. "Puppet's Declarative Language." Puppet Enterprise 2023.4 Documentation.

Reference: In the section "How Puppet's declarative language works," the documentation states: "Puppet is a declarative, model-based configuration management solution. This means that you define the desired state of the systems in your infrastructure, and Puppet... automatically enforces that state."

Chef (Official Documentation):

Source: Progress Chef. "What is Chef Infra?" Chef Infra Documentation.

Reference: The documentation explains: "Chef Infra uses reusable definitions called 'recipes' to describe the state of your infrastructure. These recipes are written in procedural Ruby code... This procedural approach allows for great flexibility in defining configurations." While individual resources within a recipe are declarative, the recipe itself is a procedural script that is executed in order.

Saltstack (Official Documentation):

Source: Salt Project. "Understanding Salt States." Salt Project 3006.0 Documentation.

Reference: In the section "Declarative vs. Imperative," the documentation states: "Salt States are declarative. This means that a state file declares what the state of a system should be, not how to get it there... Salt determines the 'how' by using the state modules."

Task 1: This configuration modifies the existing access list on R2. The permit eigrp commands explicitly allow EIGRP (IP protocol 88) packets. The host 192.168.213.1 and host 192.168.213.3 stipulations specifically permit traffic from R1 and R3, respectively, which are R2's EIGRP neighbors according to the topology. The any destination wildcard is sufficient as the ACL is applied inbound to R2.

Task 2: This configuration implements Control Plane Policing (CoPP).

• An ACL (COPP_SSH_ACL) is created to identify SSH (TCP port 22) traffic from the 192.168.211.0/24 source network.
• A class-map (COPP_SSH_CLASS) matches traffic defined by that ACL.
• A policy-map (COPP_POLICY) defines the action for that class. The police 8000 command rate-limits the matching SSH traffic to 8,000 bps. Packets exceeding this rate are discarded by default.
• Finally, the service-policy input COPP_POLICY command applies this policy to the router's control plane.

Cisco Systems. (2020). IP Routing: EIGRP Configuration Guide, Cisco IOS XE Release 17.x. "Information About Filtering EIGRP" section. (Documents the use of permit eigrp within access lists to control routing updates).

Cisco Systems. (2021). Control Plane Policing Configuration Guide, Cisco IOS XE. "How to Configure Control Plane Policing" section. (Details the required steps of creating an ACL, class-map, policy-map with the police command, and applying it via the control-plane configuration mode).

Cisco Systems. (2019). Cisco IOS Security Configuration Guide: Security for Management Plane. "Configuring Control Plane Policing" section. (Provides examples and rationale for rate-limiting protocols like SSH to protect the CPU).

Doyle, J. & DeHaven, S. (2006). Routing TCP/IP, Volume 1 (2nd Edition). Cisco Press. Chapter 8: "EIGRP," sub-section "Route Filtering." (Explains mechanisms for filtering EIGRP, including access-lists).

Massachusetts Institute of Technology (MIT) OpenCourseWare. (2014). 6.829 Computer Networks, Lecture 15: Router Design. (Discusses the architecture of routers, including the distinction between the data plane and the control plane, which is the target of CoPP configuration).

This Python script manipulates JSON data. 1. read(): The script first opens a file and needs to read its contents into a string variable. The file object's read() method accomplishes this by reading the entire file content. 2. loads(): The json.loads() method (short for "load string") is used to parse a JSON formatted string and convert it into a Python dictionary. This allows the script to manipulate the data using Python's dictionary syntax. 3. dumps(): After modifying the IP address in the Python dictionary, the json.dumps() method (short for "dump string") serializes the Python object back into a JSON formatted string. 4. write(): Finally, the script opens a new file in write mode ("w") and uses the file object's write() method to save the newly created JSON string to the disk.

Python json module documentation: The official Python documentation

details the functions for encoding and decoding JSON. It specifies that

json.loads() is used to deserialize from a string and json.dumps() is used

to serialize to a string.

o Source: Python Standard Library, json — JSON encoder and

decoder, Sections 19.2.1 and 19.2.2.

o URL: https://docs.python.org/3/library/json.html

Python File I/O documentation: The documentation on input and output

explains that file objects created by open() have methods like read() to get

the file's contents and write() to put data into the file.

o Source: Python Tutorial, Section 7.2. Reading and Writing Files.

o URL: https://docs.python.org/3/tutorial/inputoutput.html#methods-offile-objects

In a Cisco Software-Defined Access (SD-Access) fabric, an edge node functions as the access layer switch, connecting endpoints like PCs, IP phones, and IoT devices to the fabric. Its primary responsibilities include acting as the ingress and egress point for traffic originating from or destined to these connected endpoints (A). Additionally, the edge node is responsible for the onboarding process of these endpoints, which involves performing authentication and authorization, typically using 802.1X in conjunction with Cisco ISE, to verify the endpoint's identity and assign appropriate network policies (E).

B. provides the default exit point for fabric traffic: This role is performed by a border node, which connects the SD-Access fabric to external networks (e.g., WAN, internet).

C. provides the default entry point for fabric traffic: This is also a function of a border node, handling traffic entering the fabric from an external network.

D. provides a host database that maps endpoint IDs to a current location: This is the primary function of the control plane node, which runs the LISP Map-Server and maintains the authoritative endpoint-to-locator (EID-to-RLOC) database.

1. Cisco SD-Access Solution Design Guide (CVD) - Cisco DNA Center 2.3.3

"SD-Access Fabric Roles

" Section: "Fabric Edge Nodes." This document states

"The fabric edge nodes are responsible for connecting and authenticating wired endpoints

registering the endpoint identity and location with the control plane

and applying policies to traffic to and from the endpoints." This directly supports that edge nodes authenticate endpoints (E) and

by connecting them

serve as their entry/exit points (A).

2. Cisco ENCOR 350-401 Official Cert Guide

Volume 1

1st Edition

Chapter 25

"Understanding Cisco SD-Access Architecture." The section "SD-Access Fabric Control Plane" (p. 728) explicitly states: "The control plane node... has a host tracking database (HTDB) that stores all the EID-to-RLOC mappings." This confirms that option D is a function of the control plane node

not the edge node.

3. Cisco ENCOR 350-401 Official Cert Guide

Volume 1

1st Edition

Chapter 25

"Understanding Cisco SD-Access Architecture." The section "Endpoint Onboarding" (p. 734) details the authentication process: "The endpoint connects to a port on an edge switch... The edge switch uses MAB or 802.1X to authenticate the endpoint with ISE." This confirms the edge node's role in authentication (E).

The script automates interface failover using two EEM applets:

1. Applet SRV-1-Up: Designed to activate the backup link. It monitors the primary interface (GigabitEthernet4/0/9). When the primary interface changes state to Down, the script triggers no shutdown on the backup interface (GigabitEthernet3/0/10) to bring it online.
2. Applet SRV-1-Down: Designed to deactivate the backup link when the primary recovers. It monitors the primary interface (GigabitEthernet4/0/9) changing state to up. When this occurs, the script issues the shutdown command on the backup interface to revert traffic to the primary path.

Cisco Systems, Inc., "Embedded Event Manager Configuration Guide, Cisco IOS Release 15M&T."

Chapter: "Writing Embedded Event Manager Policies Using Tcl." (Concepts apply to CLI applets).

Section: "EEM Event Detectors," specifically event syslog.

Relevance: Documents how event syslog pattern triggers actions based on matching log messages (e.g., interface state changes).

Cisco Command Reference, "Cisco IOS Network Management Command Reference."

Command: event syslog and action cli command.

Relevance: Validates the syntax used in the image (event syslog pattern "..." and action ... cli command "...").

RFC 3164, "The BSD Syslog Protocol."

Relevance: While generic, it defines the standard format of syslog messages that EEM patterns match against (e.g., timestamp, hostname, message body).